RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v8]

Hai-May Chao hchao at openjdk.org
Mon Oct 30 22:01:04 UTC 2023

On Mon, 30 Oct 2023 14:14:25 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java line 178:
>>> 176:          * the jdk.tls.maxCertificateChainLength property will not override
>>> 177:          * the values.
>>> 178:          */
>> English is not my native language, but I have some comment on the wording. Normally we don't say `maxCertificateChainLength` overrides `maxInboundCertificateChainLength`. In fact, it is `maxInboundCertificateChainLength` that _overrides_ `maxCertificateChainLength`. When `maxInboundCertificateChainLength` is not set, it _fallbacks_ to `maxCertificateChainLength` (if set) or a _default_ value (8).
> I agree that wording is more clear. We should also update the RN with that wording.

This section of comments was taken from the CSR. I updated the comments as follows. If it looks fine, I will update the related doc. Thanks!

         * If either jdk.tls.server.maxInboundCertificateChainLength or
         * jdk.tls.client.maxInboundCertificateChainLength is set, it will
         * override jdk.tls.maxCertificateChainLength, regardless of whether
         * jdk.tls.maxCertificateChainLength is set or not.
         * If neither jdk.tls.server.maxInboundCertificateChainLength nor
         * jdk.tls.client.maxInboundCertificateChainLength is set, the behavior
         * depends on the setting of jdk.tls.maxCertificateChainLength. If
         * jdk.tls.maxCertificateChainLength is set, it falls back to that
         * value; otherwise, it defaults to 8 for
         * jdk.tls.server.maxInboundCertificateChainLength
         * and 10 for jdk.tls.client.maxInboundCertificateChainLength.
         * Usesrs can independently set either
         * jdk.tls.server.maxInboundCertificateChainLength or
         * jdk.tls.client.maxInboundCertificateChainLength.


PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1376841239

More information about the security-dev mailing list